Rethinking These Familiar Terms to Address New Ways of Working
Identity governance and lifecycle have always been fundamental to controlling user access and visibility into access activity in the workplace. But in a time when “the workplace” has been recast to mean every user’s home and a multitude of devices (including personal devices), these capabilities take on new meaning and importance. Identity governance suddenly isn’t just about who has access to what; it’s about where, how and why they have access. The meaning of identity lifecycle must be expanded, too, in light of the need to be concerned not just about securely enabling access to data, but about doing so when users aren’t inside a protected physical environment. Let’s look at some real-world examples of the identity management challenges remote work is creating, and at what it means to rethink identity governance and lifecycle to meet those challenges.
Identity Governance: Why It’s Different When Everyone’s Home (and What to Do About It)
Back when the majority of the workforce was literally “at work,” in the sense of being in a physical office space, we didn’t have to give nearly as much thought to where, how or why people were accessing systems and information, particularly sensitive information such as financial or health records. After all, they were doing it within a protected perimeter, on secure systems. And even if there was some remote work, it often applied to only a relative few. But now that all the people who were in the office are at home, the where, how and why of access have become critical considerations for governance. For example, what about people in call centers who have traditionally been prohibited from even bringing their personal phones to work, much less using them at work – but who now have to do their jobs from home, likely using those very phones? In light of these and other new circumstances, we need to rethink governance to address not just who has access to what, but how, where and why they’re accessing what they’re accessing.
For many organizations, rethinking governance is going to mean instituting new controls; for example, I know someone in healthcare whose work with patient data has necessitated setting up a dedicated secure area in her home to comply with HIPAA requirements. Something else we’re seeing related to secure access in remote settings is a growing move in the direction of VDI, or virtual desktop infrastructure, through which endpoints in users’ homes are virtually connected to secure systems where sensitive data is maintained. With VDI, data is accessible to users so they can see it and interact with it, but it’s never stored on their endpoints. It stays back inside the relative safety of the organization’s protected perimeter, where it’s not exposed to the access risk associated with users working remotely.
Lifecycle Management: How a Remote Workforce Impacts Processes for Granting Access
In addition to considering the effects remote work has on identity governance, organizations also have to think about the impact it has on the processes for granting access to data. As with governance, the where and how of user access become critical considerations for data security when users are remote. Should the process for enabling someone to access sensitive information be different when they’re accessing it outside the traditional perimeter, as in the example about healthcare data above? For organizations that have been relying on the basic username-password combination for authentication on-site, it makes sense to adjust the lifecycle process so that when someone requests access to sensitive data, the process automatically checks that they have the multi-factor authentication (MFA) capability required for that level of access – and if not, follows through with orchestration to enable MFA for them. And it’s not just access processes you have to think about; what about user behavior and awareness? Without the security that comes with an established perimeter, it also seems reasonable to consider additional training or certification for those accessing extremely sensitive data from a remote setting.
Recognizing that organizations the world over are just now settling into the new routine of remote work, I would also suggest it’s not too soon to start thinking about lifecycle management in terms of what happens when the remote workforce returns to the office. Granted, some organizations are looking at continuing with a remote workforce even after the urgency has passed. But most with whom I’ve had discussions are looking ahead to a time when many, if not all, workers will be able to return to the office. That is likely to require removing some entitlements that were appropriate when everyone shifted to working remotely, but aren’t needed when people go back on-site. And because of the scale of this shift to remote work and back again – where we’re talking about the whole workforce, not just a few people – these types of changes will be much easier to manage with the help of automated processes.
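The lifecycle process described in the two paragraphs above can be sketched as a small workflow. This is an added example, not code from the article or any product: the sensitivity tiers, the step names, the remote-only tag on entitlements, and the choice to hold a grant until training is complete are all assumptions made for illustration.

```python
# Added illustration: every name, tier and step label here is hypothetical.
from dataclasses import dataclass, field
from enum import IntEnum


class Sensitivity(IntEnum):
    INTERNAL = 1
    SENSITIVE = 2   # e.g. financial records
    RESTRICTED = 3  # e.g. patient data


@dataclass
class User:
    name: str
    mfa_enrolled: bool = False
    remote: bool = True
    remote_training_done: bool = False
    # entitlement name -> True if granted only because of remote work
    entitlements: dict = field(default_factory=dict)


def request_access(user, resource, level, remote_only=False):
    """Return the ordered workflow steps for one access request."""
    steps = []
    if level >= Sensitivity.SENSITIVE and not user.mfa_enrolled:
        # Orchestration: enroll the user in MFA instead of rejecting the request.
        steps.append("enroll_mfa")
        user.mfa_enrolled = True
    if level == Sensitivity.RESTRICTED and user.remote and not user.remote_training_done:
        # Hold the grant until the additional remote-access training is done.
        steps += ["assign_remote_training", "pending"]
        return steps
    user.entitlements[resource] = remote_only
    steps.append("grant")
    return steps


def return_to_office(users):
    """Revoke entitlements tagged remote-only; report what was removed per user."""
    removed = {}
    for u in users:
        u.remote = False
        gone = sorted(r for r, tagged in u.entitlements.items() if tagged)
        for r in gone:
            del u.entitlements[r]
        if gone:
            removed[u.name] = gone
    return removed
```

Tagging an entitlement as remote-only at grant time is what makes the later bulk removal a simple sweep rather than a manual review of every user.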
Next Time: Revisiting Initiatives You Back-Burnered in 2020 (Passwordless Authentication, Anyone?)
It seems like eons ago that we discussed passwordless authentication and the future of identity in this space, but it was actually just around the end of last year. Most people I talk to these days put that and other identity innovations on the back burner in early 2020, when we all were forced to start focusing attention on an unexpected and urgent need to stand up a fully remote workforce in very little time (over a weekend, in at least one case I was involved with). But I would urge everyone to think of innovations in identity in the context of this recent turn of events, rather than as something to be put aside until circumstances change. This is why next time, I’d like to look at why passwordless authentication may be just as important now as it was at the end of last year, if not more so. It’s an approach that can actually help organizations respond effectively to change on the scale we’re experiencing now – and will continue to experience for the foreseeable future.